
Threat Actors Increase Use of Encoded URLs to Evade Secure Email Defenses


Security researchers from Cofense recently disclosed an alarming trend in email security, shedding light on how threat actors are leveraging secure email gateways (SEGs) to circumvent traditional defenses and deliver malicious emails into organizations. While SEGs play a crucial role in shielding organizations from malware, spam, and phishing attacks, they have also become a tool that threat actors abuse: by having a malicious URL encoded or rewritten by one SEG, attackers can slip it past the SEG protecting the recipient.

Max Gannon, threat intelligence manager at Cofense, highlighted that certain SEG products fail to handle encoded URLs adequately, leading them to assume incorrectly that these URLs are safe. Exactly how SEGs process encoded URLs is not fully understood, but the end result is that these gateways may overlook the true malicious nature of the embedded links, ultimately putting organizations at risk.

In SEG encoding, outbound emails undergo a transformation in which every URL is rewritten so that clicks are routed through the sender's SEG infrastructure before reaching the intended destination. This mechanism is meant to enhance security by allowing the SEG to scrutinize the URL for potential threats before redirecting the user. However, the delay in scanning and the complexity of evaluating the legitimacy of each URL can create loopholes that threat actors are now exploiting with heightened frequency.
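The defensive point in the two paragraphs above is that a rewritten link must be judged by its final destination, not by the trusted-looking wrapper host in front of it. The following is an added example, not code from the article or from Cofense or any SEG vendor: it unwraps a hypothetical rewrite format (`https://<wrapper-host>/<path>?u=<encoded-destination>`, an assumption for this example; real products use their own vendor-specific formats), undoes repeated percent-encoding, follows nested wrappers, and only then applies policy. The wrapper hosts, blocked hosts, and sample links are all constructed.

```python
"""
Added example: an "unwrap before you judge" check for SEG-rewritten URLs.
Not taken from the article or any vendor; the wrapper format, host lists
and sample links below are constructed for illustration.
"""
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical rewrite hosts for this example; an operator would list its own SEG hosts.
WRAPPER_HOSTS = {"linkprotect.example", "urldefense.example"}

# Hosts already considered hostile (constructed sample entries).
BLOCKED_HOSTS = {"evil-login.example"}

MAX_DEPTH = 8  # bound the unwrap loop so a crafted URL cannot keep us looping


def percent_decode_fully(value: str, limit: int = MAX_DEPTH) -> str:
    """Undo repeated percent-encoding ("%252F" -> "%2F" -> "/"), up to `limit` rounds."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def unwrap(url: str, depth: int = MAX_DEPTH) -> tuple[str, int]:
    """
    Follow rewrite wrappers until the URL no longer points at a known wrapper host.
    Returns (final_destination, number_of_wrapper_layers_removed).
    """
    layers = 0
    while layers < depth:
        parts = urlsplit(url)
        if parts.hostname not in WRAPPER_HOSTS:
            break
        inner = parse_qs(parts.query).get("u")  # "u" is the assumed destination parameter
        if not inner:
            break  # wrapper with no destination parameter: nothing more to unwrap
        url = percent_decode_fully(inner[0])
        layers += 1
    return url, layers


def verdict(url: str) -> str:
    """
    Classify a link by its *final* destination rather than by the wrapper in front of it.
    Returns "blocked", "suspicious" or "allow".
    """
    final, layers = unwrap(url)
    host = urlsplit(final).hostname or ""
    if host in BLOCKED_HOSTS:
        return "blocked"
    # Wrapped more than once, or still a wrapper after MAX_DEPTH layers: hold for review.
    if layers > 1 or host in WRAPPER_HOSTS:
        return "suspicious"
    return "allow"


# Constructed sample links: a plain link, a single rewrite around a blocked host,
# a double-wrapped, double-encoded blocked host, and a double-wrapped benign host.
SAMPLE_LINKS = [
    "https://intranet.example/policy.pdf",
    "https://linkprotect.example/v1?u=https%3A%2F%2Fevil-login.example%2Fsignin",
    "https://urldefense.example/r?u=https%253A%252F%252Flinkprotect.example%252Fv1"
    "%253Fu%253Dhttps%25253A%25252F%25252Fevil-login.example%25252F",
    "https://urldefense.example/r?u=https%3A%2F%2Flinkprotect.example%2Fv1"
    "%3Fu%3Dhttps%253A%252F%252Fnews.example%252F",
]


def scan(links: list[str]) -> list[tuple[str, str, int]]:
    """Return (final_destination, verdict, layers) for each link."""
    results = []
    for link in links:
        final, layers = unwrap(link)
        results.append((final, verdict(link), layers))
    return results


if __name__ == "__main__":
    for link, (final, decision, layers) in zip(SAMPLE_LINKS, scan(SAMPLE_LINKS)):
        print(f"{decision:10} layers={layers} {link}\n{'':10} -> {final}")
```

The check deliberately does not trust the wrapper host: the third sample would look like a known-good gateway link to a filter that stops at the outer host, yet its decoded destination is on the block list. Bounding the decode and unwrap depth matters too, since a link that is still a wrapper after several layers is itself a signal worth holding for review.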

Recent observations by Cofense indicate a significant uptick in attacks utilizing this tactic, particularly in the second quarter of this year. Threat actors have been increasingly abusing SEG encoding to embed malicious URLs in seemingly innocuous emails, evading detection by SEGs and reaching end recipients with potentially harmful links. The top four email security gateways identified as vulnerable to this approach are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.

Although this tactic poses a substantial threat to email security, its widespread adoption by threat actors has been somewhat limited due to the additional effort required to encode URLs. Gannon emphasized that while the tactic can be effective in bypassing SEG defenses, it entails a significant investment of time and resources that may not always yield optimal results for threat actors seeking scalability in their malicious campaigns.

In light of these emerging challenges, the onus falls on organizations to bolster their defenses against such tactics by enhancing employee awareness and training. Given the inherent limitations of SEGs in mitigating these threats, empowering employees to recognize and respond to suspicious emails can serve as a critical line of defense. As the threat landscape continues to evolve, organizations must remain vigilant and proactive in safeguarding their digital assets.
